Full Report
Overview

AhnLab is monitoring Advanced Persistent Threat (APT) attacks in South Korea using its own infrastructure. This report covers the classification and statistics of the APT attacks in South Korea identified during January 2025, as well as the features of each attack type. Figure 1. January […]
Analysis Summary
# Threat Actor: Unspecified APT Actor (Active in South Korea)
## Attribution & Identity
South Korean security vendor AhnLab is monitoring these activities and classifies them simply as "Advanced Persistent Threat (APT) attacks" against South Korean targets. No threat actor name or attribution beyond "APT" is given in the source.
## Activity Summary
The primary activity observed during January 2025 targeted organizations in South Korea. Spear phishing was the dominant initial access vector, accounting for the largest share of the intrusion attempts tracked that month. Two distinct spear-phishing chains built around malicious LNK files were identified:
1. **Type A:** The LNK file delivers a compressed CAB archive containing malicious scripts (BAT, PS1, VBS) that collect and exfiltrate information and download further malware. Execution starts with a malicious PowerShell command embedded in the LNK file, which unpacks the archive data and decoy documents.
2. **Type B:** The chain downloads a CAB file containing an obfuscated, malicious Python script. It starts with an obfuscated batch file launched through PowerShell, which downloads the CAB file; the Python script is then registered in Task Scheduler for persistent execution and in turn downloads and executes further malware.
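Two properties of the Type A shortcut can be checked statically before anyone double-clicks it: the shortcut's target and arguments invoke PowerShell, and the file is larger than its parsed Shell Link structure when the CAB and decoy are appended to the LNK itself (a common implementation of the "unpacks data from the LNK" step described above, which this example assumes). The following Python is an added example written for this page, not code from the AhnLab report: it walks the MS-SHLLINK header, IDList, LinkInfo, StringData and ExtraData blocks to find where the genuine shortcut ends, treats any trailing bytes as an appended payload, and scores the embedded command line. The sample LNK it builds, the file names, the 4096-byte size and the PowerShell one-liner are all constructed for the demonstration.

```python
"""Static triage of a Windows Shell Link (.lnk) file, modelled on the Type A chain.

Added example, not code from the AhnLab report. File names, sizes and the
PowerShell one-liner in the constructed sample are hypothetical.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the console window minimized

MAGICS = {b"MSCF": "CAB archive", b"PK\x03\x04": "ZIP archive",
          b"\xd0\xcf\x11\xe0": "OLE document", b"MZ": "PE executable"}
SUSPICIOUS_TOKENS = ("powershell", "-enc", "-w hidden", "-windowstyle hidden", "-nop",
                     "-ep bypass", "readallbytes", "expand ", ".cab", "iex",
                     "invoke-expression", "downloadstring", "mshta", "wscript")


def parse_lnk(data: bytes) -> dict:
    """Walk the MS-SHLLINK structures and report where the real shortcut ends."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    off = 0x4C
    if flags & HAS_IDLIST:                      # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                    # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    for bit, name in STRING_FIELDS:             # StringData: CountCharacters + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            if flags & IS_UNICODE:
                info[name] = data[off:off + 2 * count].decode("utf-16-le")
                off += 2 * count
            else:
                info[name] = data[off:off + count].decode("cp1252")
                off += count
    while off + 4 <= len(data):                 # ExtraData: a BlockSize < 4 terminates
        size = struct.unpack_from("<I", data, off)[0]
        off += 4
        if size < 4:
            break
        off += size - 4
    info["structure_end"] = off
    info["appended"] = data[off:]               # anything past the terminal block
    return info


def triage_lnk(data: bytes) -> dict:
    """Score the shortcut: script-host command line plus any appended payload."""
    lnk = parse_lnk(data)
    cmdline = f"{lnk.get('relative_path', '')} {lnk.get('arguments', '')}".lower()
    hits = [t for t in SUSPICIOUS_TOKENS if t in cmdline]
    appended = lnk["appended"]
    kind = next((k for magic, k in MAGICS.items() if appended.startswith(magic)), None)
    if appended and kind is None:
        kind = "unknown"
    return {"command_line": cmdline.strip(), "suspicious_tokens": hits,
            "minimized_window": lnk["show_command"] == SW_SHOWMINNOACTIVE,
            "appended_bytes": len(appended), "appended_type": kind,
            "verdict": "suspicious" if hits or appended else "clean"}


def build_lnk(relative_path: str, arguments: str = "", appended: bytes = b"",
              show_command: int = 1) -> bytes:
    """Build a minimal Unicode .lnk (no IDList / LinkInfo) so the parser can be exercised offline."""
    flags = HAS_RELPATH | IS_UNICODE | (HAS_ARGS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = s(relative_path) + (s(arguments) if arguments else b"")
    return header + body + struct.pack("<I", 0) + appended   # terminal ExtraData block, then payload


POWERSHELL = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed stand-in for a Type A one-liner: find the LNK by size, carve the CAB
# appended to it, expand it and run the dropped batch file. Size and names are hypothetical.
TYPE_A_ARGS = ("-w hidden -nop -ep bypass -c \"$l=gci *.lnk|?{$_.Length -eq 4096};"
               "$b=[IO.File]::ReadAllBytes($l.FullName);$p=$env:TEMP+'\\d.cab';"
               "[IO.File]::WriteAllBytes($p,$b[2048..4095]);expand $p -F:* $env:TEMP;"
               "& ($env:TEMP+'\\run.bat')\"")
FAKE_CAB = b"MSCF" + bytes(60)   # constructed stand-in for the appended CAB archive


def sample_type_a() -> bytes:
    return build_lnk(POWERSHELL, TYPE_A_ARGS, FAKE_CAB, show_command=SW_SHOWMINNOACTIVE)


def sample_benign() -> bytes:
    return build_lnk(r"..\..\..\Windows\notepad.exe")


if __name__ == "__main__":
    for label, blob in (("type_a", sample_type_a()), ("benign", sample_benign())):
        print(label, triage_lnk(blob))
```

Run against real shortcuts, the `appended_bytes` figure is the most reliable signal: a legitimate LNK ends at its terminal ExtraData block, so tens of kilobytes of trailing data almost always means a carried payload, whatever the command line looks like.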
## Tactics, Techniques & Procedures
- **Initial Access:** Spear phishing with a malicious attachment (T1566.001, Spearphishing Attachment).
- **Execution:** The victim opens an LNK file disguised as a legitimate document (T1204.002, User Execution: Malicious File). A PowerShell command embedded in the LNK extracts and executes the contents of a CAB archive (T1059.001, PowerShell); later stages use BAT (T1059.003, Windows Command Shell), VBScript (T1059.005, Visual Basic) and Python (T1059.006, Python) scripts.
- **Defense Evasion:** Obfuscated batch and Python scripts (T1027, Obfuscated Files or Information); payloads hidden inside CAB archives and accompanied by decoy documents shown to the user.
- **Persistence:** Registration of the Python script in Task Scheduler (T1053.005, Scheduled Task).
- **Command and Control / Exfiltration:** Download of additional malware from attacker-controlled servers (T1105, Ingress Tool Transfer) and exfiltration of collected information.
*Note: MITRE ATT&CK IDs are mapped from the described techniques where clearly identifiable; the source report itself does not list them.*
## Targeting
- **Sectors:** General targets within South Korea; one confirmed malicious file name mentions "Democratic Party Political Council," suggesting potential political or governmental interest.
- **Geography:** South Korea.
- **Victims:** Unspecified organizations/individuals targeted via tailored spear phishing.
## Tools & Infrastructure
- **Malware families used:** None named in the source. The observed tooling is script-based: PowerShell commands, BAT and VBScript files, and obfuscated Python downloaders.
- **Infrastructure (distribution and credential-phishing URLs, defanged):**
- `http[:]//118[.]194[.]249[.]90/chatgpt[.]com-c677f2b2b-4eb0-8000-b492`
- `http[:]//152[.]32[.]243[.]240/logins[.]daum[.]netaccountsloginform[.]dourlhttpswww[.]daum[.]net/9993458123619519` (Appears to target Daum credentials)
- `http[:]//152[.]32[.]243[.]240/www[.]microsoft[.]comen_usmicrosoft_365outlookamail_and_calendar/02395347510`
- `http[:]//158[.]247[.]197[.]181/chatgpt[.]comc6792e271-3244-8000-aa5a`
- `http[:]//158[.]247[.]197[.]181/mail[.]google[.]commailuinbox/101087693290690245/tomcat[.]php?tomas=bdefend` (Appears to target Google/Gmail credentials)
- Associated IP: `94[.]103[.]87[.]212` (listed alongside the infrastructure above; the source does not tie it to a specific Type B download URL).
## Implications
The observed actor displays resourcefulness in social engineering, moving beyond simple attachments to chained execution that relies on native OS capabilities (PowerShell, Task Scheduler) and an archive format (CAB) to hide payloads. The targeting of specific South Korean entities and the use of lures built around tax acts, political topics and common service providers (Daum, Google) point to a targeted espionage and credential-theft campaign rather than opportunistic crime.
## Mitigations
- Configure the email gateway to block or quarantine inbound LNK files and CAB archives (including those nested inside other archives) from untrusted senders.
- Enable PowerShell Script Block Logging and Module Logging, and enforce application control (AppLocker or WDAC), which also places PowerShell in Constrained Language Mode and limits what an obfuscated one-liner can do.
- Restrict script execution from user-writable locations such as %TEMP%, %APPDATA% and ProgramData, which is where these chains stage their CAB contents and Python files.
- Alert on new Task Scheduler registrations (Security event 4698, or event 106 in the TaskScheduler/Operational log) whose actions point to script interpreters, executables in user-writable paths, or encoded commands.
- Block the URLs and IPs listed above at the proxy and DNS layers, train users to recognize login pages that imitate `daum.net` and `google.com` (the paths of the listed URLs mimic those services), and enforce MFA so that a harvested password alone is not enough.
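The Type B persistence step (a Python script registered in Task Scheduler) and the two mitigations above on script locations and Task Scheduler monitoring can be turned into a single detection. The following Python is an added example written for this page, not code from the AhnLab report: it takes Security-log event 4698 ("A scheduled task was created") records, parses the task definition XML carried in the event's TaskContent field, and scores each task on whether its action is a script interpreter, whether the command or script lives in a user-writable location such as %TEMP%, AppData or ProgramData, whether the arguments carry an encoded or hidden-window PowerShell command, and whether it re-runs at logon or on a short repetition interval. The three events, task names and paths are constructed; the same checks apply to task XML exported with `schtasks /Query /TN <name> /XML`.

```python
"""Triage of Task Scheduler registrations, modelled on the Type B persistence step.

Added example, not code from the AhnLab report. The events below are constructed
Security-log 4698 records; task names, paths and the encoded command are hypothetical.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = re.compile(r"(powershell|pwsh|pythonw?|cmd|wscript|cscript|mshta|rundll32)(\.exe)?", re.I)
USER_WRITABLE = re.compile(r"\\(Temp|AppData|ProgramData|Users\\Public)\\"
                           r"|%(TEMP|TMP|APPDATA|LOCALAPPDATA|PROGRAMDATA)%", re.I)
ENCODED = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+h(idden)?", re.I)


def analyze_task(task_name: str, task_xml: str) -> dict:
    """Score one task definition; >= 3 points is reported as suspicious."""
    root = ET.fromstring(task_xml)
    score, findings = 0, []

    def flag(points: int, text: str) -> None:
        nonlocal score
        score += points
        findings.append(text)

    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip().strip('"')
        args = ex.findtext("t:Arguments", "", NS) or ""
        base = cmd.replace("/", "\\").rsplit("\\", 1)[-1]
        if SCRIPT_HOSTS.fullmatch(base):
            flag(2, f"action runs script host {base}")
        if USER_WRITABLE.search(cmd + " " + args):
            flag(2, "command or script in user-writable path")
        if ENCODED.search(args):
            flag(3, "encoded PowerShell command")
        if HIDDEN.search(args):
            flag(1, "hidden window")
    if (root.find(".//t:Triggers/t:LogonTrigger", NS) is not None
            or root.find(".//t:Triggers/t:BootTrigger", NS) is not None):
        flag(1, "runs at logon/boot")
    interval = root.findtext(".//t:Repetition/t:Interval", None, NS) or ""
    m = re.fullmatch(r"PT(\d+)M", interval)
    if m and int(m.group(1)) <= 15:
        flag(1, f"repeats every {m.group(1)} min")
    return {"task": task_name, "score": score, "findings": findings,
            "verdict": "suspicious" if score >= 3 else "clean"}


def triage_events(events: list) -> list:
    """Run analyze_task over every 4698 (task created) event in a batch."""
    return [analyze_task(e["TaskName"], e["TaskContent"])
            for e in events if e.get("EventID") == 4698]


# --- constructed sample events (not from the report) -------------------------
TASK_XML = ('<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Triggers>{triggers}</Triggers><Actions Context="Author"><Exec>'
            '<Command>{cmd}</Command><Arguments>{args}</Arguments></Exec></Actions></Task>')
LOGON_5MIN = ("<LogonTrigger><Enabled>true</Enabled><Repetition><Interval>PT5M</Interval>"
              "</Repetition></LogonTrigger>")
DAILY = ("<CalendarTrigger><StartBoundary>2025-01-06T03:00:00</StartBoundary>"
         "<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>")


def make_event(task_name: str, triggers: str, cmd: str, args: str = "") -> dict:
    return {"EventID": 4698, "TaskName": task_name,
            "TaskContent": TASK_XML.format(triggers=triggers, cmd=cmd, args=args)}


SAMPLE_EVENTS = [
    # Type B-style: portable Python dropped to a public folder, re-run every 5 minutes at logon
    make_event(r"\Microsoft\Windows\UpdateCheck", LOGON_5MIN,
               r"C:\Users\Public\Documents\py\pythonw.exe", r"C:\Users\Public\Documents\py\run.py"),
    # benign vendor updater under Program Files, daily
    make_event(r"\VendorUpdate", DAILY, r"C:\Program Files\Vendor\Updater.exe", "/quiet"),
    # hidden, encoded PowerShell (base64 of UTF-16LE "IEX (New-Object", constructed)
    make_event(r"\SysHealth", LOGON_5MIN,
               r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "-w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
]

if __name__ == "__main__":
    for result in triage_events(SAMPLE_EVENTS):
        print(result["verdict"], result["task"], result["findings"])
```

Event 4698 is only written when "Audit Other Object Access Events" is enabled in the advanced audit policy; without it, the TaskScheduler/Operational log (event 106) records the task name and author but not the action, so the XML would have to be pulled with `schtasks` after the fact.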